Website Not Forcing HTTPS
- Query id: 488847ff-6031-487c-bf42-98fd6ac5c9a0
- Query name: Website Not Forcing HTTPS
- Platform: AzureResourceManager
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
'Microsoft.Web/sites' should force the use of HTTPS
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": false
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 3 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": false
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 2 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}